Get the most from Intel 471 CTI with existing intelligence frameworks

Security teams leverage multiple frameworks to defend their organizations against increasingly sophisticated adversaries and evolving cyber attacks.

Aug 24, 2022

Adversaries continue to mature and evolve in both sophistication and capabilities, increasing the difficulty for security teams to defend their organizations against cyber attacks. However, multiple frameworks exist to provide assistance with combating threats.

Three of the most popular frameworks are MITRE ATT&CK™, the MITRE Detection, Denial, and Disruption Framework Empowering Network Defense (D3FEND™) and the US National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53. Together they allow security teams to maintain awareness of the threat landscape and of the tactics, techniques and procedures (TTPs) cybercriminals use, and to turn that awareness into tailored defensive mitigations for the organization as a whole.

Intel 471’s General Intelligence Requirements (GIRs) can be used in conjunction with these frameworks to provide robust insights into underground threat actors. GIRs are ready-made intelligence requirements that help teams identify, organize and prioritize intelligence gaps. Plugging GIRs into these frameworks gives consistent coverage of commonly observed threats to an industry, sector, supply chain or geographic area of interest, by taking advantage of the highly “organized” character of the cybercrime underground.

Below is an example of how these CTI frameworks can be utilized to track and mitigate threats tied to a prominent underground criminal group.

HOW TO TRACK SHINYHUNTERS

ShinyHunters has been behind some of the most notable security incidents of the past few years, including breaches at AT&T, Microsoft and Tokopedia. The group operates in underground forums, offering to sell, trade or give away stolen data sets. Unlike a number of other underground criminal actors, the group does not always seek monetary gain from compromising its victims. It often leaks data across the underground for anyone to access, exacerbating the impact on victims and increasing the likelihood of the data being used for malicious purposes.

Here are all the GIRs that Intel 471 uses to track ShinyHunters’ activity:

[GIR table image]

The MITRE ATT&CK framework is a knowledge base of offensive tactics and techniques based on observed in-the-wild threat actor behaviors, providing an appropriate level of categorization for adversary action and specific ways of defending against it. ATT&CK is useful to threat intelligence analysts, security operations centers and incident response teams for tracking adversary behavior in a structured and repeatable way.

Here is how to track ShinyHunters’ techniques with MITRE ATT&CK:

[MITRE ATT&CK mapping image]

MITRE D3FEND was released to “enable cybersecurity professionals to tailor defenses against specific cyber threats, thereby reducing a system’s potential attack surface.” Where ATT&CK concentrates on offensive tactics, D3FEND gives security teams a common language and vocabulary for defensive methods.

MITRE D3FEND mitigations for ShinyHunters’ TTPs:

[MITRE D3FEND mapping image]

NIST

NIST SP 800-53 provides a list of controls, management standards and guidelines for securing information systems. The guidelines adopt a multitiered approach to risk management through compliance. Controls are grouped into the classes “low,” “moderate” and “high” based on impact, and are further split into 18 security control families, allowing organizations to select only the controls most applicable to their requirements:

  1. Access Control
  2. Audit and Accountability
  3. Awareness and Training
  4. Configuration Management
  5. Contingency Planning
  6. Identification and Authentication
  7. Incident Response
  8. Maintenance
  9. Media Protection
  10. Personnel Security
  11. Physical and Environmental Protection
  12. Planning
  13. Program Management
  14. Risk Assessment
  15. Security Assessment and Authorization
  16. System and Communications Protection
  17. System and Information Integrity
  18. System and Services Acquisition

By using these frameworks, security teams can communicate clear and precise goals to stakeholders. The frameworks also provide common language to describe the threat landscape, which can support information sharing and collaboration.

Here are two ways information on ShinyHunters could be shared:

[Use case image]

Want to learn more? Download Using Cyber Frameworks to Action CTI and Enhance Your Security Posture.